►
From YouTube: How to Work in Cloud Native Security: Demystifying the Security Role - Justin Cormack, Docker
Description
Don’t miss out! Join us at our upcoming events: EnvoyCon Virtual on October 15 and KubeCon + CloudNativeCon North America 2020 Virtual from November 17-20. Learn more at https://kubecon.io. The conferences feature presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.
How to Work in Cloud Native Security: Demystifying the Security Role - Justin Cormack, Docker
Working in security can be intimidating and the shortage of people in the space makes hiring difficult. But especially in cloud native environments, security is something everyone must own. If you’ve ever asked yourself, “what does it take to work in security in a cloud native environment? How can you move into security from a dev or an ops position? Where should you start and what should you learn about?” then this talk is for you. Justin Cormack, Security Lead at Docker and member of CNCF SIG Security will share his personal experience gradually moving from ops to dev to security, the reasons for his transitions, and what he learned along the way. He will break down why security really is one of the most interesting and different areas to specialize in and why working in security might be for you.
https://sched.co/Zeiz
A
Hello,
everybody
I'm
here
today
to
talk
about
how
to
work
in
cloud
native
security
and
what
the
security
role
involves
and
how
to
get
involved.
If
you
want
to
move
into
security,
if
you
don't
know
me,
I'm
justin
cormack
I've
been
at
docker
for
five
years
now.
As
an
engineer,
I'm
also
on
the
cncf
technical
oversight
committee.
I
live
in
cambridge
uk
and
I'm
at
justin
cormac
on
most
of
the
internet,
I'm
so
I'm
quite
easy
to
find.
If
you
remember
my
name,
this
is
cambridge.
A
It's
up
the
road
from
where
I
live,
where
I've
been
spending
my
time
in
lockdown.
This
is
a
sort
of
kind
of
I
like
to
see
cambridge
as
a
kind
of
tech
village.
It's
really
you
got
technology
and
farms
and
fields
right
next
to
each
other,
which
is
kind
of
nice.
These
are
this
is
radio
telescopes,
where
right
by
where
pulsars
were
discovered
50
years
ago,
I
kind
of
got
into
security.
A
By
mistake,
I
didn't
ever
set
out
to
be
a
security
person,
so
I
think
I've
probably
got
quite
a
good
idea
about
how
to
get
there
by
mistake.
If
you
want
to
get
there
by
mistake,
or
even
on
purpose,
I
I
started
off
being
exposed
to
security
for
the
first
time.
Really,
when
I
was
many
years
ago,
I
was
at
university,
I
was
working
as
a
sis
admin
and
every
machine
had
a
public
ipa
address
and
that
really
did
make
us
a
interesting
target
for
people
not
really
to
hack
us.
A
A
After
that
I
kind
of
drifted
away
from
that,
starting
other
things
I
moved
into
development.
I
worked
in
financial
services,
got
exposed
to
risk
management
and
the
idea
of
you
know
taking
you
know,
taking
calculated
risks,
which
was
a
useful
idea
from
the
security
point
of
view,
and
I
spent
a
lot
of
time
learning
the
internals
of
things
which
I
think
is
really
useful.
I
spent
a
lot
of
time
in
the
internals
of
linux
when
I
was
working
on
uni
kernels.
A
You
know
you
have
to
understand
linux
if
you're
trying
to
replace
it,
and
I
did
write
some
fun
blog
posts
like
eleven
cisco's,
the
sark
and
eleven
cisco's
that
rock
the
world.
You
know
just
about
the
obscure
corners
of
that
world.
You
know
it's
kind
of
you
know,
kind
of
fun
and
there's
a
lot
of
detail
and,
and
things
inside
that's
useful
to
know
when
I
started
docker,
I
the
first
security
related
thing
I
did
was
work
with
jessie
frazelle
on
the
setcom
filtering
for
docker.
A
I
still
maintain
that
it's
kind
of
interesting
I
actually
can
just
spend
some
time
working
on
a
bit
more
rewriting
the
policy
a
bit
from
the
experience
we've
had.
It's
also
interesting,
because
kubernetes
has
been
trying
to
build
a
standard
take
on
policy
for
some
years
now,
and
this
has
been
taking
a
long
time,
but
it's
an
interesting
area
so
and
it
really
helps
knowing
the
internals
of
the
system
calls
that
you're
filtering
there
about
three
years
ago.
A
I
moved
full
time
onto
the
security
team
at
docker
and
then
I
led
the
security
team
for
a
while
and
now
I'm
back
to
not
just
doing
security.
I
also
do
I'm
a
I've,
become
a
generalist
again,
I'm
a
senior
engineer
across
everything
we
do
at
docker,
so
kind
of
moved
around
to
and
from
security
in
my
career.
A
I'm
also
involved
a
lot
in
the
security
community.
I
was
particularly
with
cncf
security
that
started
a
couple
of
years
ago
as
a
safe
working
group,
and
then
we
turned
it
into
an
official
cncf
group
and
it's
become
very
successful
so
to
get
involved
if
you're
interested
we've
got
talks
at
cubecard,
of
course,
and
it's
we've
basically
been
involved
in.
A
I
also
I'm
maintainer
of
notary,
which
is
the
cncf
project,
and
I've
been
spending
a
lot
of
time
since
november
or
so
working
on
notary
v2,
which
is
a
rewrite
and
reworking
of
the
whole
security
model.
For
container
signing
with
amazon,
microsoft,
new
york,
university
and
other
people,
so
that's
really
been
a
really
interesting
project
and
good
fun.
Again,
we
have
talks
at
kubecon
about
that.
So
come
along,
listen
to
them!
I'm
a
security
advisor
for
container
d,
now,
the
container
d
project.
So
that's
a
new
role.
A
A
I
was
really
interested
in
having
a
talk
about
what
maintenance
is
about
in
security,
not
just
writing
new
things,
and
you
know
developing
new
protocols,
but
actually
just
maintaining
a
the
world
of
cryptography
that
end
users
in
the
programming
language
use
is
great
talk
and
kate.
Till's
talk
on
making
npm
install
safe,
which
is
all
about
programming
language
security.
How
we
can
make
it
so
that
you
can
import
something
with
npm,
but
it
doesn't
have
capabilities
to
do
to
own
everything
in
your
in
your
program
and
do
anything
it
wants.
A
So
how
can
we
restrict
capabilities?
So
again?
Another
great
talk-
and
I
think
these
kinds
of
things
are
very
important
in
terms
of
bringing
security
to
a
wider
audience,
also
worked
on
the
noise
protocol
framework,
which
is
a
kind
of
alternative
to
tls,
but
based
on
simple
cryptographic.
Primitives
is
really,
I
learned
an
awful
lot
just
helping
work
on
the
spec
and
doing
pieces
around
that
also
got
an
interesting
capability
based
security.
I've
done
some
talks
on
that
kind
of
neglected
areas
of
security.
A
I
guess
there's
lots
to
learn
and
I
think
that
learning
about
the
broader
area
is
really
important.
You
know
to
give
you
a
better
perspective
on
what's
going
on
and
why
things
are
like
that
and
what
the
problems
with
security
actually
are
the
most
important
things
you
can
learn.
I
think
in
security
I
talked
about,
you
know
knowing
sort
of
system
goals
and
things
and
networking
knowing
some
areas
in
detail
is
incredibly
important,
both
for
offensive
and
defensive
security.
A
You
know
security
issues
are
the
real
boundaries
of
the
usual
need
to
play
around,
understand,
break
things
fix
things
get
deep
inside
the
internals,
and
you
know
the
protocols
and
the
implementations
and
and
so
on.
So
there's
a
there's.
A
lot
of
detail
work,
that's
important,
but
it's
not
just
about
code.
Security
is
very
much
not
about
code.
A
It's
important
to
spend
time
in
the
real
world
with
real
people
who
are
using
code
using
computers.
You
have
got
problems,
feel
empathy
for
them
and
understand
what
their
problems
are
and
what
they're
trying
to
solve
it's
it's
most
of
the
time.
People
don't
think
about
security,
don't
care
about
it!
It's
not
an
important
thing.
A
You
know
it's
not
something
they
deal
with
on
their
daily
basis,
so
you
have
to
not
be
the
person
who
comes
along
and
like
in
this
drawing
just
you
know,
locks
things
up
and
takes
away
the
key
and
says
this
is
secure.
Now,
because
I've
got
the
key
and
you
haven't,
you
know
the
best
security
is
there
supporting
how
people
work
is
not
making
them
making
things
difficult
for
them,
and
that's
really
really
important.
That's
what
you're
trying
to
do
you're
trying
to
help
people
you're
not
trying
to
lock
things
up.
A
The
follow
on
from
that
slide
is
the
slide
where
you
know
the
user
can't
use
the
locked
up
cooker,
which
is
all
nice
and
safe
and
secure,
but
it
has
to
improvise
and
then
sets
things
on
fire.
Okay,
that's
you
know.
The
reality
is
that
users
have
to
get
things
done
and
if
they
have
to
get
things
done
by
with
the
tools
they
have,
they
will
and
those
tools
might
not
be
so
suitable.
So
you
need
to
be.
A
Also,
I
think
it's
really
important
to
both
break
things
and
fix
things
as
a
sort
of
divide
in
the
security
world
between
sort
of
black
out
white
hat.
You
know
the
breaking
things
and
fixing
things
it's
a
not
actually
a
great
divide.
I
think
that
just
breaking
things
is
not
sufficient
to
be
a
fully
rounded
security
person.
You
need
to
also
learn
how
to
fix
things,
because
it's
actually
difficult,
there's
compromises
and
the
messy
real
world
things
we're
talking
about.
You
know:
there's
there
was
actually
a
post
to
the
learner's
colonel
mailing.
A
A
You
help
your
colleagues
out
wanting
you
know
being
angry
about
the
state
of
the
world
from
the
security
point
of
view
is
kind
of
good
in
a
way
because
we
have
to
get
it
better,
but
just
burning
everything
down
is
not
the
answer.
We've
really,
you
know
you've
got
to
work,
how
we
fix
the
stuff,
that's
there
how
we
encourage
people
to
change,
how
they
do
things
and
so
on.
So
there's
breaking
and
fixing
and
working
with
other
people
is
really
important.
A
Working
with
other
people
actually
is
very
important
in
working
security
is
not
just
an
engineering
job.
You
get
to
meet
everyone
else
in
the
company
as
well.
You
get
to
meet
your
lawyers.
These
are
these.
People
are
lovely
people
to
work
with.
You
know
they,
you
have
to
get
to
know
them.
You
have
to
understand
how
they
work,
how
they,
what
how
they
want
you
to
write
things
down
or
not,
write
things
down,
and
that's
really
you
know
not.
A
You
know
I
got
way
more
exposure
to
lawyers
when
I
was
working
in
security
than
before.
You'll
meet
your
pr
team,
because
security
issues
are
communication.
Issues
too,
I
was
lucky
to
work
with
a
really
great
woman
who
had
worked
at
intel
doing
spectrum
meltdown.
She
was,
she
really
had
a
was
good
at
keeping
calm
and
working
how
to
communicate
things
really
really
good
to
learn
from
these
people
as
well.
But
so
yes,
that's
important
too.
You
know
security
is
a
you
know.
A
Security
instance,
and
things
are
difficult
stories
to
tell
and
difficult
things
to
explain
and
it's
it's
difficult
work
and
there
are
people
who
are
really
good
at
this.
So
you
need
to
work
with
them.
If
the
cell
security
is
a
business,
you
have
to
explain
to
people
why
it
matters
and
which
things
matter
more
and
which
risks
are
important
and
which
are
not
so
important.
A
A
You
know
just
spending
the
time
doing
security
fixes
if
you
then
run
out
of
money,
but
then,
on
the
other
hand,
when
things
are
important,
they
have
to
get
down
and
it's
important
to
be
able
to
persuade
people
about
those
things
and
security
products
and
a
really
interesting
part
of
work
too,
and
just
adding
security
features
to
it
to
products
that
you
have
to
be
able
to
work
with
the
product
team
and
work
out,
which
things
would
make
a
good
product
and
then
so
on.
So
there's
a
whole
lot
of
product
work.
A
You
know
the
whole
of
the
role
and
it's
really
important
to
to
understand
that
and
think
about
those
other
parts
of
the
world
as
well.
There's
a
lot
of
demand
for
security
people.
The
estimate
I
could
find
was
that
they
would
be
three
and
a
half
million
unfilled
security
jobs
worldwide
in
2021.
I
don't
know
if
that
figure's
really
accurate
or
what
it
means,
and
you
know,
are
there?
A
Are
there
gonna
be
you
know
if
three
and
a
half
million
jobs
don't
get
filled,
what
happens
and
so
on?
But
I
mean
it's:
it
is
an
increasingly
important
area.
It's
definitely
hard
to
hire
people.
I
spent
a
lot
of
time
doing
hiring
and
it's
really
difficult
to
find
people,
and
so
I
do
believe,
there's
a
shortage,
and
you
know
salaries
are
good
in
security
and-
and
I
don't
know
if
that
entirely
reflects
three
and
a
half
million
shortage
or
anything.
A
But
you
know
it's
definitely
a
role
where
there
is
definitely
demand
and
you
don't
need
formal
security
qualifications.
You
don't
need
to
be
in
a
kind
of
hacker
who's,
hacked
high-profile
websites
and
been
arrested
or
anything.
You
don't
need
to
be
a
great
developer
to
work
in
security
either.
Necessarily
you
need
to
be
able
to.
I
mean
I
think,
that
for
all
kind
of
roles
in
computing
being
able
to
code
is
useful,
but
reading
code
is
a
really
important
skill
in
security.
A
You've
got
to
be
able
to
understand
other
people's
code,
find
bugs
in
other
people's
code,
find
security
issues
in
other
people's
code,
so
reading
code
is
actually
important
understanding
code,
finding
things
that
are
likely
to
be
a
problem
being
able
to
find
out
where,
in
the
code,
they're
implemented.
If
you're,
you
know
finding
issues
in
open
source
code
which
a
lot
of
the
time
you
are
now
rather
than
close
source
code,
you
spend
less
time
actually
reverse
engineering.
A
A
Everything
is
coded
in
cloud
native.
That's
the
really
important
thing
before
cloud
native.
We
actually
had
a
you
know.
We
there
was
a
thing
like
there
was
hardware,
security
and
hardware.
Security
was
kind
of
you
know.
Firewalls,
were
you
know
physically
wired
up
with
cables.
There
was
this
amazing
thing
called
the
data
diode,
which
is
kind
of
weird
bit
of
history.
A
You
know
your
firewall
is
just
another
piece
of
software,
your
your
cloud
provider.
You
know
it's
just
has
networking
that
you
can
reconfigure
in
any
way
you
want
you.
Can
you
make
any
type
of
service
talk
to
any
service
if
you
just
rewire
the
infrastructure,
so
everything's
just
code?
So
you
can't
you
there's
no
sharp
separation
anymore.
So
this
really
changes
everything
about
security
because
it
changes.
You
know
what
what
matters
about
security
changes.
You
know
the
the
separation
of
concerns.
A
You
can't
separate
security
from
development
and
operations
anymore.
We
have
this
kind
of
devsecops
idea.
Now
that
you
know
operations,
development
and
security
have
to
work
together
because
there
isn't
these.
There
aren't
these
hard
physical
lines
where
things
can't
cross
and
things
can
only
go
in
one
direction.
You
have
to
program
them
to
only
go
in
one
direction.
A
Also,
everything's
check
can
change
much
more
quickly.
You
can
redeploy
code
multiple
times
a
day
and
each
of
those
free
deploys
could
break
the
security
model.
So
there's
you
know,
you
have
to
be.
There's
no
kind
of
you
know
review
panel
once
a
quarter
for
security
changes
or
anything
like
that.
Everything
has
to
be
tested
in
real
time.
A
There's
new
places
to
attack
supply
chain
attacks
have
become
a
real
focus
recently
because,
if
everything's
code
well,
if
you
can
modify
the
code
or
modify
the
way
that
the
code
is
being
up,
the
updates
of
the
software
are
going
to
another
computer.
Then
you
can
basically
change
everything's,
been
deployed
and
add
backdoors
or
remove
security
pieces
or
whatever,
so
everyone
has
to
get
involved
in
this
together.
A
You
know
so
we're
we're
not
there.
Yet
it's
important
to
you
know
on
as
your
journey
to
to
being
someone
who
works
in
security
if
you're
working
as
a
developer.
Now
you
know,
one
of
the
things
you
can
do
is
just
spend
time
working
and
understanding
the
security
in
the
code
you
work
on.
I
understand
the
threat
model.
This
threat,
modeling
book
by
adam
schuster,
is
really
good.
A
I
just
understand
how
to
think
about
threat
models,
think
about
which
bits
of
your
code
matter
where
whose
response
which
bit
of
code
is
responsible
for
protecting
what,
but
just
it's
really
important
just
to
you
know,
take
that
time
and
think
about
the
you
know
the
domain
and
what
you,
what
your,
what
what
your
security
risks
and
threats
actually
are,
security
is
really
a
kind
of
thing
is:
is
a
kind
of
code
quality?
It's
an
interesting
kind
of
code
quality
because
you
know
code.
That
always
does
the
right
thing.
A
A
You
need
to
understand
the
issues
in
the
you
know
in
the
domain
you're
working
in
if
you're
working
on
websites,
you
know
cross-site
scripting
and
all
those
things
are
things
that
you
should
be.
You
know
they're
the
security
problems
in
your
field,
that
you
should
understand
and
understand
where
they
come
from
and
understand
how
you
fix
them
and
understand
how
you
how
you
can
either
test
for
them
or
not
make
those
mistakes
in
the
first
place.
You
know
they're
libraries,
you
can
use.
A
A
Again,
you
know,
as
you
roll
out
code,
you
don't
want
some
security,
some
vital
security
thing
to
be
missed
out
because
of
it
doesn't
get
deployed
correctly
or
whatever
some
of
those
tests
should
be.
You
know
when
you're
building
your
code,
but
you'll,
say
runtime
tests
are
really
useful
to
make
sure
like
if,
if
something
didn't
get
deployed,
that
leaves
your
security
open,
you
don't
want
to
fail
open.
You
want
to
fail
closed,
it's
worth
spending
time
to
think
like
an
attacker.
A
That
was
actually
one
of
the
things
I
didn't
know.
One
previous
role.
I'd
spent
allocate
some
time
on
mid
mid
monday
morning
to
find
security
bugs
and
the
products
I
was
working
on,
and
you
know
some
you'd
spend
spend
an
hour
or
two
each
week
and
try
and
attack
it
and
sometimes
you'd
find
something.
Sometimes
it
would
be
a
dead
end.
You
wouldn't
get
anywhere.
A
External
audits
are
really
valuable
because
those
are
other
people
looking
at
your
code
and
you
can
learn
from
the
way
other
people
look
at
your
code
and
the
things
that
they
find.
You
know
what
kind
of
problems
there
might
be
and
learn
more
about
security
from
that
and
help
you
on
your
journey
towards
becoming
a
security
person.
A
A
You
know
the
happy
path
in
in
programming
is
you
know
where
everything
works
as
intended?
It's
the
things
that
you
spend
time
writing
tests.
Well,
security
people
are
thinking
about
all
the
the
unhappy
things
and
you're
kind
of
living
away
from
that
people
become
paranoid
about
attackers.
The
attackers
are
out
to
get
you
that's
you
know,
can
be
a
problem
as
well.
A
So
it's
really
important
to
find
friends
outside
security
and
outside
your
out
completely
outside
your
work,
who
you
can
you
know,
spend
time
with,
and
it's
also
important
to
find
a
community
inside
security
as
well.
So
you
don't
feel
kind
of
so
so
alone
and
you
have
other
people
you
can
talk
to
about
the
kinds
of
things
that
you're
concerned
about.